Configure Project Quay

Getting started with Project Quay configuration

Project Quay can be deployed by an independent, standalone configuration, or by using the Project Quay Operator on OpenShift Container Platform.

How you create, retrieve, update, and validate the Project Quay configuration varies depending on the type of deployment you are using. However, the core configuration options are the same for either deployment type. Core configuration is primarily set through a config.yaml file, but can also be set by using the configuration API.

For standalone deployments of Project Quay, you must supply the minimum required configuration parameters before the registry can be started. The minimum requirements to start a Project Quay registry can be found in the "Retrieving the current configuration" section.

If you install Project Quay on OpenShift Container Platform using the Project Quay Operator, you do not need to supply configuration parameters because the Project Quay Operator supplies default information to deploy the registry.

After you have deployed Project Quay with the desired configuration, you should retrieve, and save, the full configuration from your deployment. The full configuration contains additional generated values that you might need when restarting or upgrading your system.

Project Quay configuration disclaimer

With both standalone and Operator-based deployments of Project Quay certain features and configuration parameters are not actively used or implemented. As a result, feature flags, such as those that enable or disable certain features, and configuration parameters that are not explicitly documented or requested for documentation by Red Hat Support, should only be modified with caution. Unused features or parameters might not be fully tested, supported, or compatible with Project Quay. Modifying unused features parameters might lead to unexpected issues or disruptions with your deployment.

For information about configuring Project Quay in standalone deployments, see Advanced Project Quay configuration

For information about configuring Project Quay Operator deployments, see Configuring Project Quay on OpenShift Container Platform

Configuration updates for Project Quay 3.12

The following sections detail new configuration fields added in Project Quay 3.12.

Registry auto-pruning configuration fields

The following configuration fields have been added to Project Quay auto-pruning feature:

Field

Type

Description

NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES

Integer

The interval, in minutes, that defines the frequency to re-run notifications for expiring images.

Default: 300

DEFAULT_NAMESPACE_AUTOPRUNE_POLICY

Object

The default organization-wide auto-prune policy.

.method: number_of_tags

Object

The option specifying the number of tags to keep.

.value: <integer>

Integer

When used with method: number_of_tags, denotes the number of tags to keep.

For example, to keep two tags, specify 2.

.method: creation_date

Object

The option specifying the duration of which to keep tags.

.value: <integer>

Integer

When used with creation_date, denotes how long to keep tags.

Can be set to seconds (s), days (d), months (m), weeks (w), or years (y). Must include a valid integer. For example, to keep tags for one year, specify 1y.

AUTO_PRUNING_DEFAULT_POLICY_POLL_PERIOD

Integer

The period in which the auto-pruner worker runs at the registry level. By default, it is set to run one time per day (one time per 24 hours). Value must be in seconds.

OAuth access token reassignment configuration field

The following configuration field has been added for reassigning OAuth access tokens:

Field

Type

Description

FEATURE_ASSIGN_OAUTH_TOKEN

Boolean

Allows organization administrators to assign OAuth tokens to other users.

Example OAuth access token reassignment YAML

# ...
FEATURE_ASSIGN_OAUTH_TOKEN: true
# ...

Vulnerability detection notification configuration field

The following configuration field has been added to notify users on detected vulnerabilities based on security level:

Field

Type

Description

NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX

String

Set minimal security level for new notifications on detected vulnerabilities. Avoids creation of large number of notifications after first index. If not defined, defaults to High. Available options include Critical, High, Medium, Low, Negligible, and Unknown.

Example image vulnerability notification YAML

NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX: High

OCI referrers API configuration field

The following configuration field allows users to list OCI referrers of a manifest under a repository by using the v2 API:

Field

Type

Description

FEATURE_REFERRERS_API

Boolean

Enables OCI 1.1’s referrers API.

Example OCI referrers enablement YAML

# ...
FEATURE_REFERRERS_API: true
# ...

Disable strict logging configuration field

The following configuration field has been added to address when external systems like Splunk or ElasticSearch are configured as audit log destinations but are intermittently unavailable. When set to True, the logging event is logged to the stdout instead.

Field

Type

Description

ALLOW_WITHOUT_STRICT_LOGGING

Boolean

When set to True, if the external log system like Splunk or ElasticSearch is intermittently unavailable, allows users to push images normally. Events are logged to the stdout instead. Overrides ALLOW_PULLS_WITHOUT_STRICT_LOGGING if set.

Example strict logging YAML

# ...
ALLOW_WITHOUT_STRICT_LOGGING: True
# ...

Notification interval configuration field

The following configuration field has been added to enhance Project Quay notifications:

Field

Type

Description

NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES

Integer

The interval, in minutes, that defines the frequency to re-run notifications for expiring images. By default, this field is set to notify Project Quay users of events happening every 5 hours.

Example notification re-run YAML

# ...
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES: 10
# ...

Clair indexing layer size configuration field

The following configuration field has been added for the Clair security scanner, which allows Project Quay administrators to set a maximum layer size allowed for indexing.

Field

Type

Description

SECURITY_SCANNER_V4_INDEX_MAX_LAYER_SIZE

String

The maximum layer size allowed for indexing. If the layer size exceeds the configured size, the Project Quay UI returns the following message: The manifest for this tag has layer(s) that are too large to index by the Quay Security Scanner. The default is 8G, and the maximum recommended is 10G.
Example: 8G

Editing the configuration file

To deploy a standalone instance of Project Quay, you must provide the minimal configuration information. The requirements for a minimal configuration can be found in "Project Quay minimal configuration."

After supplying the required fields, you can validate your configuration. If there are any issues, they will be highlighted.

For changes to take effect, the registry must be restarted.

Location of configuration file in a standalone deployment

For standalone deployments of Project Quay, the config.yaml file must be specified when starting the Project Quay registry. This file is located in the configuration volume. For example, the configuration file is located at $QUAY/config/config.yaml when deploying Project Quay by the following command:

$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
   --name=quay \
   -v $QUAY/config:/conf/stack:Z \
   -v $QUAY/storage:/datastorage:Z \
   quay.io/projectquay/quay:v3.13.1

Minimal configuration

The following configuration options are required for a standalone deployment of Project Quay:

Server hostname
HTTP or HTTPS
Authentication type, for example, Database or Lightweight Directory Access Protocol (LDAP)
Secret keys for encrypting data
Storage for images
Database for metadata
Redis for build logs and user events
Tag expiration options

Sample minimal configuration file

The following example shows a sample minimal configuration file that uses local storage for images:

AUTHENTICATION_TYPE: Database
BUILDLOGS_REDIS:
    host: quay-server.example.com
    password: strongpassword
    port: 6379
    ssl: false
DATABASE_SECRET_KEY: 0ce4f796-c295-415b-bf9d-b315114704b8
DB_URI: postgresql://quayuser:quaypass@quay-server.example.com:5432/quay
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
    default:
        - LocalStorage
        - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default
PREFERRED_URL_SCHEME: http
SECRET_KEY: e8f9fe68-1f84-48a8-a05f-02d72e6eccba
SERVER_HOSTNAME: quay-server.example.com
SETUP_COMPLETE: true
TAG_EXPIRATION_OPTIONS:
    - 0s
    - 1d
    - 1w
    - 2w
    - 4w
    - 3y
USER_EVENTS_REDIS:
    host: quay-server.example.com
    port: 6379
    ssl: false

Local storage

Using local storage for images is only recommended when deploying a registry for proof of concept purposes.

When configuring local storage, storage is specified on the command line when starting the registry.

The following command maps a local directory, $QUAY/storage to the datastorage path in the container:

$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
   --name=quay \
   -v $QUAY/config:/conf/stack:Z \
   -v $QUAY/storage:/datastorage:Z \
   quay.io/projectquay/quay:v3.13.1

Cloud storage

Storage configuration is detailed in the Image storage section. For some users, it might be useful to compare the difference between Google Cloud Platform and local storage configurations. For example, the following YAML presents a Google Cloud Platform storage configuration:

$QUAY/config/config.yaml

DISTRIBUTED_STORAGE_CONFIG:
    default:
        - GoogleCloudStorage
        - access_key: GOOGQIMFB3ABCDEFGHIJKLMN
          bucket_name: quay_bucket
          secret_key: FhDAYe2HeuAKfvZCAGyOioNaaRABCDEFGHIJKLMN
          storage_path: /datastorage/registry
          boto_timeout: 120 (1)
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default

Optional. The time, in seconds, until a timeout exception is thrown when attempting to read from a connection. The default is 60 seconds. Also encompasses the time, in seconds, until a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

When starting the registry using cloud storage, no configuration is required on the command line. For example:

$ sudo podman run -d --rm -p 80:8080 -p 443:8443 \
   --name=quay \
   -v $QUAY/config:/conf/stack:Z \
   quay.io/projectquay/quay:v3.13.1

Configuration fields

This section describes the both required and optional configuration fields when deploying Project Quay.

Required configuration fields

The fields required to configure Project Quay are covered in the following sections:

Automation options

The following sections describe the available automation options for Project Quay deployments:

Pre-configuring Project Quay for automation
Using the API to create the first user

Optional configuration fields

Optional fields for Project Quay can be found in the following sections:

General required fields

The following table describes the required configuration fields for a Project Quay deployment:

Table 1. General required fields
Field	Type	Description
AUTHENTICATION_TYPE (Required)	String	The authentication engine to use for credential authentication. Values: One of `Database`, `LDAP`, `JWT`, `Keystone`, `OIDC` Default: `Database`
PREFERRED_URL_SCHEME (Required)	String	The URL scheme to use when accessing Project Quay. Values: One of `http`, `https` Default: `http`
SERVER_HOSTNAME (Required)	String	The URL at which Project Quay is accessible, without the scheme. Example: `quay-server.example.com`
DATABASE_SECRET_KEY (Required)	String	Key used to encrypt sensitive fields within the database. This value should never be changed once set, otherwise all reliant fields, for example, repository mirror username and password configurations, are invalidated. This value is set automatically by the Project Quay Operator for Operator-based deployments. For standalone deployments, administrators can provide their own key using Open SSL or a similar tool. Key length should not exceed 63 characters.
SECRET_KEY (Required)	String	Key used to encrypt the session cookie and the CSRF token needed for correct interpretation of the user session. The value should not be changed when set. Should be persistent across all Project Quay instances. If not persistent across all instances, login failures and other errors related to session persistence might occur.
SETUP_COMPLETE (Required)	Boolean	This is an artifact left over from earlier versions of the software and currently it must be specified with a value of `true`.

Database configuration

This section describes the database configuration fields available for Project Quay deployments.

Database URI

With Project Quay, connection to the database is configured by using the required DB_URI field.

The following table describes the DB_URI configuration field:

Table 2. Database URI
Field	Type	Description
DB_URI (Required)	String	The URI for accessing the database, including any credentials. Example `DB_URI` field: postgresql://quayuser:quaypass@quay-server.example.com:5432/quay

Database connection arguments

Optional connection arguments are configured by the DB_CONNECTION_ARGS parameter. Some of the key-value pairs defined under DB_CONNECTION_ARGS are generic, while others are database specific.

The following table describes database connection arguments:

Table 3. Database connection arguments
Field	Type	Description
DB_CONNECTION_ARGS	Object	Optional connection arguments for the database, such as timeouts and SSL/TLS.
.autorollback	Boolean	Whether to use thread-local connections. Should always be `true`
.threadlocals	Boolean	Whether to use auto-rollback connections. Should always be `true`

PostgreSQL SSL/TLS connection arguments

With SSL/TLS, configuration depends on the database you are deploying. The following example shows a PostgreSQL SSL/TLS configuration:

DB_CONNECTION_ARGS:
  sslmode: verify-ca
  sslrootcert: /path/to/cacert

The sslmode option determines whether, or with, what priority a secure SSL/TLS TCP/IP connection will be negotiated with the server. There are six modes:

Table 4. SSL/TLS options
Mode	Description
disable	Your configuration only tries non-SSL/TLS connections.
allow	Your configuration first tries a non-SSL/TLS connection. Upon failure, tries an SSL/TLS connection.
prefer (Default)	Your configuration first tries an SSL/TLS connection. Upon failure, tries a non-SSL/TLS connection.
require	Your configuration only tries an SSL/TLS connection. If a root CA file is present, it verifies the certificate in the same way as if verify-ca was specified.
verify-ca	Your configuration only tries an SSL/TLS connection, and verifies that the server certificate is issued by a trusted certificate authority (CA).
verify-full	Only tries an SSL/TLS connection, and verifies that the server certificate is issued by a trusted CA and that the requested server hostname matches that in the certificate.

For more information on the valid arguments for PostgreSQL, see Database Connection Control Functions.

MySQL SSL/TLS connection arguments

The following example shows a sample MySQL SSL/TLS configuration:

DB_CONNECTION_ARGS:
  ssl:
    ca: /path/to/cacert

Information on the valid connection arguments for MySQL is available at Connecting to the Server Using URI-Like Strings or Key-Value Pairs.

Image storage

This section details the image storage features and configuration fields that are available with Project Quay.

Image storage features

The following table describes the image storage features for Project Quay:

Table 5. Storage config features
Field	Type	Description
FEATURE_REPO_MIRROR	Boolean	If set to true, enables repository mirroring. Default: `false`
FEATURE_PROXY_STORAGE	Boolean	Whether to proxy all direct download URLs in storage through NGINX. Default: `false`
FEATURE_STORAGE_REPLICATION	Boolean	Whether to automatically replicate between storage engines. Default: `false`

Image storage configuration fields

The following table describes the image storage configuration fields for Project Quay:

Table 6. Storage config fields
Field	Type	Description
DISTRIBUTED_STORAGE_CONFIG (Required)	Object	Configuration for storage engine(s) to use in Project Quay. Each key represents an unique identifier for a storage engine. The value consists of a tuple of (key, value) forming an object describing the storage engine parameters. Default: `[]`
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS (Required)	Array of string	The list of storage engine(s) (by ID in `DISTRIBUTED_STORAGE_CONFIG`) whose images should be fully replicated, by default, to all other storage engines.
DISTRIBUTED_STORAGE_PREFERENCE (Required)	Array of string	The preferred storage engine(s) (by ID in `DISTRIBUTED_STORAGE_CONFIG`) to use. A preferred engine means it is first checked for pulling and images are pushed to it. Default: `false`
MAXIMUM_LAYER_SIZE	String	Maximum allowed size of an image layer. Pattern: `^[0-9]+(G\|M)$` Example: `100G` Default: `20G`

Local storage

The following YAML shows a sample configuration using local storage:

DISTRIBUTED_STORAGE_CONFIG:
  default:
    - LocalStorage
    - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default

OpenShift Container Storage/NooBaa

The following YAML shows a sample configuration using an OpenShift Container Storage/NooBaa instance:

DISTRIBUTED_STORAGE_CONFIG:
  rhocsStorage:
    - RHOCSStorage
    - access_key: access_key_here
      secret_key: secret_key_here
      bucket_name: quay-datastore-9b2108a3-29f5-43f2-a9d5-2872174f9a56
      hostname: s3.openshift-storage.svc.cluster.local
      is_secure: 'true'
      port: '443'
      storage_path: /datastorage/registry
      maximum_chunk_size_mb: 100 (1)
      server_side_assembly: true (2)

Defines the maximum chunk size, in MB, for the final copy. Has no effect if server_side_assembly is set to false.
Optional. Whether Project Quay should try and use server side assembly and the final chunked copy instead of client assembly. Defaults to true.

Ceph Object Gateway/RadosGW storage

The following YAML shows a sample configuration using Ceph/RadosGW.

Note

RadosGW is an on-premises S3-compatible storage solution. Note that this differs from general AWS S3Storage, which is specifically designed for use with Amazon Web Services S3. This means that RadosGW implements the S3 API and requires credentials like access_key, secret_key, and bucket_name. For more information about Ceph Object Gateway and the S3 API, see Ceph Object Gateway and the S3 API.

RadosGW with general s3 access

DISTRIBUTED_STORAGE_CONFIG:
  radosGWStorage: (1)
    - RadosGWStorage
    - access_key: <access_key_here>
      bucket_name: <bucket_name_here>
      hostname: <hostname_here>
      is_secure: true
      port: '443'
      secret_key: <secret_key_here>
      storage_path: /datastorage/registry
      maximum_chunk_size_mb: 100 (2)
      server_side_assembly: true (3)

Used for general s3 access. Note that general s3 access is not strictly limited to Amazon Web Services (AWS) s3, and can be used with RadosGW or other storage services. For an example of general s3 access using the AWS S3 driver, see "AWS S3 storage".
Optional. Defines the maximum chunk size in MB for the final copy. Has no effect if server_side_assembly is set to false.
Optional. Whether Project Quay should try and use server side assembly and the final chunked copy instead of client assembly. Defaults to true.

AWS S3 storage

The following YAML shows a sample configuration using AWS S3 storage.

# ...
DISTRIBUTED_STORAGE_CONFIG:
  default:
    - S3Storage (1)
    - host: s3.us-east-2.amazonaws.com
      s3_access_key: ABCDEFGHIJKLMN
      s3_secret_key: OL3ABCDEFGHIJKLMN
      s3_bucket: quay_bucket
      s3_region: <region> (2)
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default
# ...

The S3Storage storage driver should only be used for AWS S3 buckets. Note that this differs from general S3 access, where the RadosGW driver or other storage services can be used. For an example, see "Example B: Using RadosGW with general S3 access".
Optional. The Amazon Web Services region. Defaults to us-east-1.

AWS STS S3 storage

The following YAML shows an example configuration for using Amazon Web Services (AWS) Security Token Service (STS) with Red Hat Quay on OpenShift Container Platform configurations.

# ...
DISTRIBUTED_STORAGE_CONFIG:
   default:
    - STSS3Storage
    - sts_role_arn: <role_arn> (1)
      s3_bucket: <s3_bucket_name>
      storage_path: <storage_path>
      sts_user_access_key: <s3_user_access_key> (2)
      sts_user_secret_key: <s3_user_secret_key> (3)
      s3_region: <region> (4)
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default
# ...

The unique Amazon Resource Name (ARN).
The generated AWS S3 user access key.
The generated AWS S3 user secret key.
Optional. The Amazon Web Services region. Defaults to us-east-1.

Google Cloud Storage

The following YAML shows a sample configuration using Google Cloud Storage:

DISTRIBUTED_STORAGE_CONFIG:
    googleCloudStorage:
        - GoogleCloudStorage
        - access_key: GOOGQIMFB3ABCDEFGHIJKLMN
          bucket_name: quay-bucket
          secret_key: FhDAYe2HeuAKfvZCAGyOioNaaRABCDEFGHIJKLMN
          storage_path: /datastorage/registry
          boto_timeout: 120 (1)
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - googleCloudStorage

Optional. The time, in seconds, until a timeout exception is thrown when attempting to read from a connection. The default is 60 seconds. Also encompasses the time, in seconds, until a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

Azure Storage

The following YAML shows a sample configuration using Azure Storage:

DISTRIBUTED_STORAGE_CONFIG:
  azureStorage:
    - AzureStorage
    - azure_account_name: azure_account_name_here
      azure_container: azure_container_here
      storage_path: /datastorage/registry
      azure_account_key: azure_account_key_here
      sas_token: some/path/
      endpoint_url: https://[account-name].blob.core.usgovcloudapi.net (1)
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - azureStorage

The endpoint_url parameter for Azure storage is optional and can be used with Microsoft Azure Government (MAG) endpoints. If left blank, the endpoint_url will connect to the normal Azure region.

As of Project Quay 3.7, you must use the Primary endpoint of your MAG Blob service. Using the Secondary endpoint of your MAG Blob service will result in the following error: AuthenticationErrorDetail:Cannot find the claimed account when trying to GetProperties for the account whusc8-secondary.

Swift storage

The following YAML shows a sample configuration using Swift storage:

DISTRIBUTED_STORAGE_CONFIG:
  swiftStorage:
    - SwiftStorage
    - swift_user: swift_user_here
      swift_password: swift_password_here
      swift_container: swift_container_here
      auth_url: https://example.org/swift/v1/quay
      auth_version: 3
      os_options:
        tenant_id: <osp_tenant_id_here>
        user_domain_name: <osp_domain_name_here>
      ca_cert_path: /conf/stack/swift.cert"
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - swiftStorage

Nutanix object storage

The following YAML shows a sample configuration using Nutanix object storage.

DISTRIBUTED_STORAGE_CONFIG:
  nutanixStorage: #storage config name
    - RadosGWStorage #actual driver
    - access_key: access_key_here #parameters
      secret_key: secret_key_here
      bucket_name: bucket_name_here
      hostname: hostname_here
      is_secure: 'true'
      port: '443'
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE: #must contain name of the storage config
    - nutanixStorage

IBM Cloud object storage

The following YAML shows a sample configuration using IBM Cloud object storage.

DISTRIBUTED_STORAGE_CONFIG:
  default:
  - IBMCloudStorage #actual driver
  - access_key: <access_key_here> #parameters
    secret_key: <secret_key_here>
    bucket_name: <bucket_name_here>
    hostname: <hostname_here>
    is_secure: 'true'
    port: '443'
    storage_path: /datastorage/registry
    maximum_chunk_size_mb: 100mb (1)
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- default
DISTRIBUTED_STORAGE_PREFERENCE:
- default

Optional. Recommended to be set to 100mb.

NetApp ONTAP S3 object storage

The following YAML shows a sample configuration using NetApp ONTAP S3.

DISTRIBUTED_STORAGE_CONFIG:
  local_us:
  - RadosGWStorage
  - access_key: <access_key>
    bucket_name: <bucket_name>
    hostname: <host_url_address>
    is_secure: true
    port: <port>
    secret_key: <secret_key>
    storage_path: /datastorage/registry
    signature_version: v4
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- local_us
DISTRIBUTED_STORAGE_PREFERENCE:
- local_us

Hitachi Content Platform object storage

The following YAML shows a sample configuration using HCP for object storage.

Example HCP storage configuration

DISTRIBUTED_STORAGE_CONFIG:
  hcp_us:
  - RadosGWStorage
  - access_key: <access_key>
    bucket_name: <bucket_name>
    hostname: <hitachi_hostname_example>
    is_secure: true
    secret_key: <secret_key>
    storage_path: /datastorage/registry
    signature_version: v4
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- hcp_us
DISTRIBUTED_STORAGE_PREFERENCE:
- hcp_us

Redis configuration fields

This section details the configuration fields available for Redis deployments.

Build logs

The following build logs configuration fields are available for Redis deployments:

Table 7. Build logs configuration
Field	Type	Description
BUILDLOGS_REDIS (Required)	Object	Redis connection details for build logs caching.
.host (Required)	String	The hostname at which Redis is accessible. Example: `quay-server.example.com`
.port (Required)	Number	The port at which Redis is accessible. Example: `6379`
.password	String	The password to connect to the Redis instance. Example: `strongpassword`
.ssl (Optional)	Boolean	Whether to enable TLS communication between Redis and Quay. Defaults to false.

User events

The following user event fields are available for Redis deployments:

Table 8. User events config
Field	Type	Description
USER_EVENTS_REDIS (Required)	Object	Redis connection details for user event handling.
.host (Required)	String	The hostname at which Redis is accessible. Example: `quay-server.example.com`
.port (Required)	Number	The port at which Redis is accessible. Example: `6379`
.password	String	The password to connect to the Redis instance. Example: `strongpassword`
.ssl	Boolean	Whether to enable TLS communication between Redis and Quay. Defaults to false.
.ssl_keyfile (Optional)	String	The name of the key database file, which houses the client certificate to be used. Example: `ssl_keyfile: /path/to/server/privatekey.pem`
.ssl_certfile (Optional)	String	Used for specifying the file path of the SSL certificate. Example: `ssl_certfile: /path/to/server/certificate.pem`
.ssl_cert_reqs (Optional)	String	Used to specify the level of certificate validation to be performed during the SSL/TLS handshake. Example: `ssl_cert_reqs: CERT_REQUIRED`
.ssl_ca_certs (Optional)	String	Used to specify the path to a file containing a list of trusted Certificate Authority (CA) certificates. Example: `ssl_ca_certs: /path/to/ca_certs.pem`
.ssl_ca_data (Optional)	String	Used to specify a string containing the trusted CA certificates in PEM format. Example: `ssl_ca_data: <certificate>`
.ssl_check_hostname (Optional)	Boolean	Used when setting up an SSL/TLS connection to a server. It specifies whether the client should check that the hostname in the server’s SSL/TLS certificate matches the hostname of the server it is connecting to. Example: `ssl_check_hostname: true`

Example Redis configuration

The following YAML shows a sample configuration using Redis with optional SSL/TLS fields:

BUILDLOGS_REDIS:
  host: quay-server.example.com
  password: strongpassword
  port: 6379
  ssl: true


USER_EVENTS_REDIS:
  host: quay-server.example.com
  password: strongpassword
  port: 6379
  ssl: true
  ssl_*: <path_location_or_certificate>

Note	If your deployment uses Azure Cache for Redis and `ssl` is set to `true`, the port defaults to `6380`.

ModelCache configuration options

The following options are available on Project Quay for configuring ModelCache.

Memcache configuration option

Memcache is the default ModelCache configuration option. With Memcache, no additional configuration is necessary.

Single Redis configuration option

The following configuration is for a single Redis instance with optional read-only replicas:

    DATA_MODEL_CACHE_CONFIG:
      engine: redis
      redis_config:
        primary:
            host: <host>
            port: <port>
            password: <password if ssl is true>
           ssl: <true | false >
        replica:
            host: <host>
            port: <port>
            password: <password if ssl is true>
           ssl: <true | false >

Clustered Redis configuration option

Use the following configuration for a clustered Redis instance:

    DATA_MODEL_CACHE_CONFIG:
      engine: rediscluster
      redis_config:
        startup_nodes:
          - host: <cluster-host>
            port: <port>
        password: <password if ssl: true>
        read_from_replicas: <true|false>
        skip_full_coverage_check: <true | false>
        ssl: <true | false >

Tag expiration configuration fields

The following tag expiration configuration fields are available with Project Quay:

Table 9. Tag expiration configuration fields
Field	Type	Description
FEATURE_GARBAGE_COLLECTION	Boolean	Whether garbage collection of repositories is enabled. Default: True
TAG_EXPIRATION_OPTIONS (Required)	Array of string	If enabled, the options that users can select for expiration of tags in their namespace. Pattern: `^[0-9]+(y\|w\|m\|d\|h\|s)$`
DEFAULT_TAG_EXPIRATION (Required)	String	The default, configurable tag expiration time for time machine. Pattern: `^[0-9]+(w\|m\|d\|h\|s)$` Default: `2w`
FEATURE_CHANGE_TAG_EXPIRATION	Boolean	Whether users and organizations are allowed to change the tag expiration for tags in their namespace. Default: True
FEATURE_AUTO_PRUNE	Boolean	When set to `True`, enables functionality related to the auto-pruning of tags. Default: `False`
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES	Integer	The interval, in minutes, that defines the frequency to re-run notifications for expiring images. Default: `300`
DEFAULT_NAMESPACE_AUTOPRUNE_POLICY	Object	The default organization-wide auto-prune policy.
.method: number_of_tags	Object	The option specifying the number of tags to keep.
.value: <integer>	Integer	When used with method: number_of_tags, denotes the number of tags to keep. For example, to keep two tags, specify `2`.
.creation_date	Object	The option specifying the duration of which to keep tags.
.value: <integer>	Integer	When used with creation_date, denotes how long to keep tags. Can be set to seconds (`s`), days (`d`), months (`m`), weeks (`w`), or years (`y`). Must include a valid integer. For example, to keep tags for one year, specify `1y`.
AUTO_PRUNING_DEFAULT_POLICY_POLL_PERIOD	Integer	The period in which the auto-pruner worker runs at the registry level. By default, it is set to run one time per day (one time per 24 hours). Value must be in seconds.

Example tag expiration configuration

The following YAML example shows you a sample tag expiration configuration.

# ...
DEFAULT_TAG_EXPIRATION: 2w
TAG_EXPIRATION_OPTIONS:
    - 0s
    - 1d
    - 1w
    - 2w
    - 4w
    - 3y
# ...

Registry-wide auto-prune policies examples

The following YAML examples show you registry-wide auto-pruning examples by both number of tags and creation date.

Example registry auto-prune policy by number of tags

# ...
DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: number_of_tags
  value: 10 (1)
# ...

In this scenario, ten tags remain.

Example registry auto-prune policy by creation date

# ...
DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: creation_date
  value: 1y
# ...

Quota management configuration fields

Table 10. Quota management configuration
Field	Type	Description
FEATURE_QUOTA_MANAGEMENT	Boolean	Enables configuration, caching, and validation for quota management feature. Default: `False`
DEFAULT_SYSTEM_REJECT_QUOTA_BYTES	String	Enables system default quota reject byte allowance for all organizations. By default, no limit is set.
QUOTA_BACKFILL	Boolean	Enables the quota backfill worker to calculate the size of pre-existing blobs. Default: `True`
QUOTA_TOTAL_DELAY_SECONDS	String	The time delay for starting the quota backfill. Rolling deployments can cause incorrect totals. This field must be set to a time longer than it takes for the rolling deployment to complete. Default: `1800`
PERMANENTLY_DELETE_TAGS	Boolean	Enables functionality related to the removal of tags from the time machine window. Default: `False`
RESET_CHILD_MANIFEST_EXPIRATION	Boolean	Resets the expirations of temporary tags targeting the child manifests. With this feature set to `True`, child manifests are immediately garbage collected. Default: `False`

Example quota management configuration

The following YAML is the suggested configuration when enabling quota management.

Quota management YAML configuration

FEATURE_QUOTA_MANAGEMENT: true
FEATURE_GARBAGE_COLLECTION: true
PERMANENTLY_DELETE_TAGS: true
QUOTA_TOTAL_DELAY_SECONDS: 1800
RESET_CHILD_MANIFEST_EXPIRATION: true

Proxy cache configuration fields

Table 11. Proxy configuration
Field	Type	Description
FEATURE_PROXY_CACHE	Boolean	Enables Project Quay to act as a pull through cache for upstream registries. Default: `false`

Robot account configuration fields

Table 12. Robot account configuration fields
Field	Type	Description
ROBOTS_DISALLOW	Boolean	When set to `true`, robot accounts are prevented from all interactions, as well as from being created Default: `False`

Pre-configuring Project Quay for automation

Project Quay supports several configuration options that enable automation. Users can configure these options before deployment to reduce the need for interaction with the user interface.

Allowing the API to create the first user

To create the first user, users need to set the FEATURE_USER_INITIALIZE parameter to true and call the /api/v1/user/initialize API. Unlike all other registry API calls that require an OAuth token generated by an OAuth application in an existing organization, the API endpoint does not require authentication.

Users can use the API to create a user such as quayadmin after deploying Project Quay, provided no other users have been created. For more information, see Using the API to create the first user.

Enabling general API access

Users should set the BROWSER_API_CALLS_XHR_ONLY configuration option to false to allow general access to the Project Quay registry API.

Adding a superuser

After deploying Project Quay, users can create a user and give the first user administrator privileges with full permissions. Users can configure full permissions in advance by using the SUPER_USER configuration object. For example:

# ...
SERVER_HOSTNAME: quay-server.example.com
SETUP_COMPLETE: true
SUPER_USERS:
  - quayadmin
# ...

Restricting user creation

After you have configured a superuser, you can restrict the ability to create new users to the superuser group by setting the FEATURE_USER_CREATION to false. For example:

# ...
FEATURE_USER_INITIALIZE: true
BROWSER_API_CALLS_XHR_ONLY: false
SUPER_USERS:
- quayadmin
FEATURE_USER_CREATION: false
# ...

Enabling new functionality in Project Quay 3.13

To use new Project Quay 3.13 functions, enable some or all of the following features:

# ...
FEATURE_UI_V2: true
FEATURE_UI_V2_REPO_SETTINGS: true
FEATURE_AUTO_PRUNE: true
ROBOTS_DISALLOW: false
# ...

Suggested configuration for automation

The following config.yaml parameters are suggested for automation:

# ...
FEATURE_USER_INITIALIZE: true
BROWSER_API_CALLS_XHR_ONLY: false
SUPER_USERS:
- quayadmin
FEATURE_USER_CREATION: false
# ...

Deploying the Project Quay Operator using the initial configuration

Use the following procedure to deploy Project Quay on OpenShift Container Platform using the initial configuration.

Prerequisites

You have installed the oc CLI.

Procedure

Create a secret using the configuration file:

$ oc create secret generic -n quay-enterprise --from-file config.yaml=./config.yaml init-config-bundle-secret

Create a quayregistry.yaml file. Identify the unmanaged components and reference the created secret, for example:

apiVersion: quay.redhat.com/v1
kind: QuayRegistry
metadata:
  name: example-registry
  namespace: quay-enterprise
spec:
  configBundleSecret: init-config-bundle-secret

Deploy the Project Quay registry:

$ oc create -n quay-enterprise -f quayregistry.yaml

Next Steps

Using the API to create the first user

Using the API to create the first user

Use the following procedure to create the first user in your Project Quay organization.

Prerequisites

The config option FEATURE_USER_INITIALIZE must be set to true.
No users can already exist in the database.

Note	Procedure This procedure requests an OAuth token by specifying `"access_token": true`.

Open your Project Quay configuration file and update the following configuration fields:
```
FEATURE_USER_INITIALIZE: true
SUPER_USERS:
     -  quayadmin
```
Stop the Project Quay service by entering the following command:
```
$ sudo podman stop quay
```

Start the Project Quay service by entering the following command:

$ sudo podman run -d -p 80:8080 -p 443:8443 --name=quay -v $QUAY/config:/conf/stack:Z  -v $QUAY/storage:/datastorage:Z {productrepo}/{quayimage}:{productminv}

Run the following CURL command to generate a new user with a username, password, email, and access token:

$ curl -X POST -k  http://quay-server.example.com/api/v1/user/initialize --header 'Content-Type: application/json' --data '{ "username": "quayadmin", "password":"quaypass12345", "email": "quayadmin@example.com", "access_token": true}'

If successful, the command returns an object with the username, email, and encrypted password. For example:

{"access_token":"6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED", "email":"quayadmin@example.com","encrypted_password":"1nZMLH57RIE5UGdL/yYpDOHLqiNCgimb6W9kfF8MjZ1xrfDpRyRs9NUnUuNuAitW","username":"quayadmin"} # gitleaks:allow

If a user already exists in the database, an error is returned:

{"message":"Cannot initialize user in a non-empty database"}

If your password is not at least eight characters or contains whitespace, an error is returned:

{"message":"Failed to initialize user: Invalid password, password must be at least 8 characters and contain no whitespace."}

$ sudo podman login -u quayadmin -p quaypass12345 http://quay-server.example.com --tls-verify=false

Example output

Login Succeeded!

Using the OAuth token

After invoking the API, you can call out the rest of the Project Quay API by specifying the returned OAuth code.

Prerequisites

You have invoked the /api/v1/user/initialize API, and passed in the username, password, and email address.

Procedure

Obtain the list of current users by entering the following command:

$ curl -X GET -k -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/superuser/users/

Example output:

{
    "users": [
        {
            "kind": "user",
            "name": "quayadmin",
            "username": "quayadmin",
            "email": "quayadmin@example.com",
            "verified": true,
            "avatar": {
                "name": "quayadmin",
                "hash": "3e82e9cbf62d25dec0ed1b4c66ca7c5d47ab9f1f271958298dea856fb26adc4c",
                "color": "#e7ba52",
                "kind": "user"
            },
            "super_user": true,
            "enabled": true
        }
    ]
}

In this instance, the details for the quayadmin user are returned as it is the only user that has been created so far.

Using the API to create an organization

The following procedure details how to use the API to create a Project Quay organization.

Prerequisites

You have invoked the /api/v1/user/initialize API, and passed in the username, password, and email address.
You have called out the rest of the Project Quay API by specifying the returned OAuth code.

Procedure

To create an organization, use a POST call to api/v1/organization/ endpoint:

$ curl -X POST -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://example-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/ --data '{"name": "testorg", "email": "testorg@example.com"}'

Example output:

"Created"

You can retrieve the details of the organization you created by entering the following command:

$ curl -X GET -k --header 'Content-Type: application/json' -H "Authorization: Bearer 6B4QTRSTSD1HMIG915VPX7BMEZBVB9GPNY2FC2ED" https://min-registry-quay-quay-enterprise.apps.docs.quayteam.org/api/v1/organization/testorg

Example output:

{
    "name": "testorg",
    "email": "testorg@example.com",
    "avatar": {
        "name": "testorg",
        "hash": "5f113632ad532fc78215c9258a4fb60606d1fa386c91b141116a1317bf9c53c8",
        "color": "#a55194",
        "kind": "user"
    },
    "is_admin": true,
    "is_member": true,
    "teams": {
        "owners": {
            "name": "owners",
            "description": "",
            "role": "admin",
            "avatar": {
                "name": "owners",
                "hash": "6f0e3a8c0eb46e8834b43b03374ece43a030621d92a7437beb48f871e90f8d90",
                "color": "#c7c7c7",
                "kind": "team"
            },
            "can_view": true,
            "repo_count": 0,
            "member_count": 1,
            "is_synced": false
        }
    },
    "ordered_teams": [
        "owners"
    ],
    "invoice_email": false,
    "invoice_email_address": null,
    "tag_expiration_s": 1209600,
    "is_free_account": true
}

Basic configuration fields

Table 13. Basic configuration
Field	Type	Description
REGISTRY_TITLE	String	If specified, the long-form title for the registry. Displayed in frontend of your Project Quay deployment, for example, at the sign in page of your organization. Should not exceed 35 characters. Default: `Red Hat Quay`
REGISTRY_TITLE_SHORT	String	If specified, the short-form title for the registry. Title is displayed on various pages of your organization, for example, as the title of the tutorial on your organization’s Tutorial page. Default: `Red Hat Quay`
CONTACT_INFO	Array of String	If specified, contact information to display on the contact page. If only a single piece of contact information is specified, the contact footer will link directly.
[0]	String	Adds a link to send an e-mail. Pattern: `^mailto:(.)+$` Example: `mailto:support@quay.io`
[1]	String	Adds a link to visit an IRC chat room. Pattern: `^irc://(.)+$` Example: `irc://chat.freenode.net:6665/quay`
[2]	String	Adds a link to call a phone number. Pattern: `^tel:(.)+$` Example: `tel:+1-888-930-3475`
[3]	String	Adds a link to a defined URL. Pattern: `^http(s)?://(.)+$` Example: `https://twitter.com/quayio`

SSL configuration fields

Table 14. SSL configuration
Field	Type	Description
PREFERRED_URL_SCHEME	String	One of `http` or `https`. Note that users only set their `PREFERRED_URL_SCHEME` to `http` when there is no TLS encryption in the communication path from the client to Quay. Users must set their PREFERRED_URL_SCHEME`to `https when using a TLS-terminating load balancer, a reverse proxy (for example, Nginx), or when using Quay with custom SSL certificates directly. In most cases, the `PREFERRED_URL_SCHEME` should be `https`. Default: `http`
SERVER_HOSTNAME (Required)	String	The URL at which Project Quay is accessible, without the scheme Example: `quay-server.example.com`
SSL_CIPHERS	Array of String	If specified, the nginx-defined list of SSL ciphers to enabled and disabled Example: [`ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `DHE-RSA-AES128-GCM-SHA256`, `DHE-DSS-AES128-GCM-SHA256`, `kEDH+AESGCM`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA`, `ECDHE-ECDSA-AES256-SHA`, `DHE-RSA-AES128-SHA256`, `DHE-RSA-AES128-SHA`, `DHE-DSS-AES128-SHA256`, `DHE-RSA-AES256-SHA256`, `DHE-DSS-AES256-SHA`, `DHE-DSS-AES256-SHA`, `AES128-GCM-SHA256`, `AES256-GCM-SHA384`, `AES128-SHA256`, `AES256-SHA256`, `AES128-SHA`, `AES256-SHA`, `AES`, `!3DES"`, `!aNULL`, `!eNULL`, `!EXPORT`, `DES`, `!RC4`, `MD5`, `!PSK`, `!aECDH`, `!EDH-DSS-DES-CBC3-SHA`, `!EDH-RSA-DES-CBC3-SHA`, `!KRB5-DES-CBC3-SHA`]
SSL_PROTOCOLS	Array of String	If specified, nginx is configured to enabled a list of SSL protocols defined in the list. Removing an SSL protocol from the list disables the protocol during Project Quay startup. Example: ['TLSv1','TLSv1.1','TLSv1.2', `TLSv1.3]`
SESSION_COOKIE_SECURE	Boolean	Whether the `secure` property should be set on session cookies Default: False Recommendation: Set to True for all installations using SSL

Configuring SSL

Copy the certificate file and primary key file to your configuration directory, ensuring they are named ssl.cert and ssl.key respectively:
```
$ cp ~/ssl.cert $QUAY/config
$ cp ~/ssl.key $QUAY/config
$ cd $QUAY/config
```

Edit the config.yaml file and specify that you want Quay to handle TLS:

config.yaml

...
SERVER_HOSTNAME: quay-server.example.com
...
PREFERRED_URL_SCHEME: https
...

Stop the Quay container and restart the registry

Adding additional Certificate Authorities to the Project Quay container

The extra_ca_certs directory is the directory where additional Certificate Authorities (CAs) can be stored to extend the set of trusted certificates. These certificates are used by Project Quay to verify SSL/TLS connections with external services. When deploying Project Quay, you can place the necessary CAs in this directory to ensure that connections to services like LDAP, OIDC, and storage systems are properly secured and validated.

For standalone Project Quay deployments, you must create this directory and copy the additional CA certificates into that directory.

Prerequisites

You have a CA for the desired service.

Procedure

View the certificate to be added to the container by entering the following command:

$ cat storage.crt

Example output

-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV...
-----END CERTIFICATE-----

Create the extra_ca_certs in the /config folder of your Project Quay directory by entering the following command:
```
$ mkdir -p /path/to/quay_config_folder/extra_ca_certs
```

Copy the CA file to the extra_ca_certs folder. For example:

$ cp storage.crt /path/to/quay_config_folder/extra_ca_certs/

Ensure that the storage.crt file exists within the extra_ca_certs folder by entering the following command:

$ tree /path/to/quay_config_folder/extra_ca_certs

Example output

/path/to/quay_config_folder/extra_ca_certs
├── storage.crt----

Obtain the CONTAINER ID of your Quay consider by entering the following command:

$ podman ps

Example output

CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS              PORTS
5a3e82c4a75f        <registry>/<repo>/quay:{productminv} "/sbin/my_init"          24 hours ago        Up 18 hours         0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 443/tcp   grave_keller

Restart the container by entering the following command
```
$ podman restart 5a3e82c4a75f
```

Confirm that the certificate was copied into the container namespace by running the following command:

$ podman exec -it 5a3e82c4a75f cat /etc/ssl/certs/storage.pem

Example output

-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIJAMVr9ngjJhzbMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV...
-----END CERTIFICATE-----

LDAP configuration fields

Table 15. LDAP configuration
Field	Type	Description
AUTHENTICATION_TYPE (Required)	String	Must be set to `LDAP`.
FEATURE_TEAM_SYNCING	Boolean	Whether to allow for team membership to be synced from a backing group in the authentication engine (OIDC, LDAP, or Keystone). Default: `true`
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP	Boolean	If enabled, non-superusers can setup team syncrhonization. Default: `false`
LDAP_ADMIN_DN	String	The admin DN for LDAP authentication.
LDAP_ADMIN_PASSWD	String	The admin password for LDAP authentication.
LDAP_ALLOW_INSECURE_FALLBACK	Boolean	Whether or not to allow SSL insecure fallback for LDAP authentication.
LDAP_BASE_DN	Array of String	The base DN for LDAP authentication.
LDAP_EMAIL_ATTR	String	The email attribute for LDAP authentication.
LDAP_UID_ATTR	String	The uid attribute for LDAP authentication.
LDAP_URI	String	The LDAP URI.
LDAP_USER_FILTER	String	The user filter for LDAP authentication.
LDAP_USER_RDN	Array of String	The user RDN for LDAP authentication.
LDAP_SECONDARY_USER_RDNS	Array of String	Provide Secondary User Relative DNs if there are multiple Organizational Units where user objects are located.
TEAM_RESYNC_STALE_TIME	String	If team syncing is enabled for a team, how often to check its membership and resync if necessary. Pattern: `^[0-9]+(w\|m\|d\|h\|s)$` Example: `2h` Default: `30m`
LDAP_SUPERUSER_FILTER	String	Subset of the `LDAP_USER_FILTER` configuration field. When configured, allows Project Quay administrators the ability to configure Lightweight Directory Access Protocol (LDAP) users as superusers when Project Quay uses LDAP as its authentication provider. With this field, administrators can add or remove superusers without having to update the Project Quay configuration file and restart their deployment. This field requires that your `AUTHENTICATION_TYPE` is set to `LDAP`.
GLOBAL_READONLY_SUPER_USERS	String	When set, grants users of this list read access to all repositories, regardless of whether they are public repositories. Only works for those superusers defined with the `LDAP_SUPERUSER_FILTER` configuration field.
LDAP_RESTRICTED_USER_FILTER	String	Subset of the `LDAP_USER_FILTER` configuration field. When configured, allows Project Quay administrators the ability to configure Lightweight Directory Access Protocol (LDAP) users as restricted users when Project Quay uses LDAP as its authentication provider. This field requires that your `AUTHENTICATION_TYPE` is set to `LDAP`.
FEATURE_RESTRICTED_USERS	Boolean	When set to `True` with `LDAP_RESTRICTED_USER_FILTER` active, only the listed users in the defined LDAP group are restricted. Default: `False`
LDAP_TIMEOUT	Integer	Specifies the time limit, in seconds, for LDAP operations. This limits the amount of time an LDAP search, bind, or other operation can take. Similar to the `-l` option in `ldapsearch`, it sets a client-side operation timeout. Default: `10`
LDAP_NETWORK_TIMEOUT	Integer	Specifies the time limit, in seconds, for establishing a connection to the LDAP server. This is the maximum time Project Quay waits for a response during network operations, similar to the `-o nettimeout` option in `ldapsearch`. Default: `10`

LDAP configuration references

Use the following references to update your config.yaml file with the desired LDAP settings.

Basic LDAP configuration

Use the following reference for a basic LDAP configuration.

---
AUTHENTICATION_TYPE: LDAP (1)
---
LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com (2)
LDAP_ADMIN_PASSWD: ABC123 (3)
LDAP_ALLOW_INSECURE_FALLBACK: false (4)
LDAP_BASE_DN: (5)
  - dc=example
  - dc=com
LDAP_EMAIL_ATTR: mail (6)
LDAP_UID_ATTR: uid (7)
LDAP_URI: ldap://<example_url>.com (8)
LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,dc=<domain_name>,dc=com) (9)
LDAP_USER_RDN: (10)
  - ou=people
LDAP_SECONDARY_USER_RDNS: (11)
    - ou=<example_organization_unit_one>
    - ou=<example_organization_unit_two>
    - ou=<example_organization_unit_three>
    - ou=<example_organization_unit_four>

Required. Must be set to LDAP.
Required. The admin DN for LDAP authentication.
Required. The admin password for LDAP authentication.
Required. Whether to allow SSL/TLS insecure fallback for LDAP authentication.
Required. The base DN for LDAP authentication.
Required. The email attribute for LDAP authentication.
Required. The UID attribute for LDAP authentication.
Required. The LDAP URI.
Required. The user filter for LDAP authentication.
Required. The user RDN for LDAP authentication.
Optional. Secondary User Relative DNs if there are multiple Organizational Units where user objects are located.

LDAP restricted user configuration

Use the following reference for an LDAP restricted user configuration.

# ...
AUTHENTICATION_TYPE: LDAP
# ...
FEATURE_RESTRICTED_USERS: true (1)
# ...
LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com
LDAP_ADMIN_PASSWD: ABC123
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://<example_url>.com
LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,o=<example_organization_unit>,dc=<example_domain_component>,dc=com)
LDAP_RESTRICTED_USER_FILTER: (<filterField>=<value>) (2)
LDAP_USER_RDN:
    - ou=<example_organization_unit>
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
# ...

Must be set to true when configuring an LDAP restricted user.
Configures specified users as restricted users.

LDAP superuser configuration reference

Use the following reference for an LDAP superuser configuration.

# ...
AUTHENTICATION_TYPE: LDAP
# ...
LDAP_ADMIN_DN: uid=<name>,ou=Users,o=<organization_id>,dc=<example_domain_component>,dc=com
LDAP_ADMIN_PASSWD: ABC123
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://<example_url>.com
LDAP_USER_FILTER: (memberof=cn=developers,ou=Users,o=<example_organization_unit>,dc=<example_domain_component>,dc=com)
LDAP_SUPERUSER_FILTER: (<filterField>=<value>) (1)
LDAP_USER_RDN:
    - ou=<example_organization_unit>
    - o=<organization_id>
    - dc=<example_domain_component>
    - dc=com
# ...

Configures specified users as superusers.

Mirroring configuration fields

Table 16. Mirroring configuration
Field	Type	Description
FEATURE_REPO_MIRROR	Boolean	Enable or disable repository mirroring Default: `false`
REPO_MIRROR_INTERVAL	Number	The number of seconds between checking for repository mirror candidates Default: 30
REPO_MIRROR_SERVER_HOSTNAME	String	Replaces the `SERVER_HOSTNAME` as the destination for mirroring. Default: None Example: `openshift-quay-service`
REPO_MIRROR_TLS_VERIFY	Boolean	Require HTTPS and verify certificates of Quay registry during mirror. Default: `true`
REPO_MIRROR_ROLLBACK	Boolean	When set to `true`, the repository rolls back after a failed mirror attempt. Default: `false`

Security scanner configuration fields

Table 17. Security scanner configuration
Field	Type	Description
FEATURE_SECURITY_SCANNER	Boolean	Enable or disable the security scanner Default: `false`
FEATURE_SECURITY_NOTIFICATIONS	Boolean	If the security scanner is enabled, turn on or turn off security notifications Default: `false`
SECURITY_SCANNER_V4_REINDEX_THRESHOLD	String	This parameter is used to determine the minimum time, in seconds, to wait before re-indexing a manifest that has either previously failed or has changed states since the last indexing. The data is calculated from the `last_indexed datetime` in the manifestsecuritystatus table. This parameter is used to avoid trying to re-index every failed manifest on every indexing run. The default time to re-index is 300 seconds.
SECURITY_SCANNER_V4_ENDPOINT	String	The endpoint for the V4 security scanner Pattern: `^http(s)?://(.)+$` Example: `http://192.168.99.101:6060`
SECURITY_SCANNER_V4_PSK	String	The generated pre-shared key (PSK) for Clair
SECURITY_SCANNER_ENDPOINT	String	The endpoint for the V2 security scanner Pattern: `^http(s)?://(.)+$` Example: `http://192.168.99.100:6060`
SECURITY_SCANNER_INDEXING_INTERVAL	Integer	This parameter is used to determine the number of seconds between indexing intervals in the security scanner. When indexing is triggered, Project Quay will query its database for manifests that must be indexed by Clair. These include manifests that have not yet been indexed and manifests that previously failed indexing. Default: 30
FEATURE_SECURITY_SCANNER_NOTIFY_ON_NEW_INDEX	Boolean	Whether to allow sending notifications about vulnerabilities for new pushes. Default: `True`
SECURITY_SCANNER_V4_MANIFEST_CLEANUP	Boolean	Whether the Project Quay garbage collector removes manifests that are not referenced by other tags or manifests. Default: `True`
NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX	String	Set minimal security level for new notifications on detected vulnerabilities. Avoids creation of large number of notifications after first index. If not defined, defaults to `High`. Available options include `Critical`, `High`, `Medium`, `Low`, `Negligible`, and `Unknown`.
SECURITY_SCANNER_V4_INDEX_MAX_LAYER_SIZE	String	The maximum layer size allowed for indexing. If the layer size exceeds the configured size, the Project Quay UI returns the following message: `The manifest for this tag has layer(s) that are too large to index by the Quay Security Scanner`. The default is `8G`, and the maximum recommended is `10G`. Accepted values are `B`, `K`, `M`, `T`, and `G`. Default: `8G`

Re-indexing with Clair v4

When Clair v4 indexes a manifest, the result should be deterministic. For example, the same manifest should produce the same index report. This is true until the scanners are changed, as using different scanners will produce different information relating to a specific manifest to be returned in the report. Because of this, Clair v4 exposes a state representation of the indexing engine (/indexer/api/v1/index_state) to determine whether the scanner configuration has been changed.

Project Quay leverages this index state by saving it to the index report when parsing to Quay’s database. If this state has changed since the manifest was previously scanned, Project Quay will attempt to re-index that manifest during the periodic indexing process.

By default this parameter is set to 30 seconds. Users might decrease the time if they want the indexing process to run more frequently, for example, if they did not want to wait 30 seconds to see security scan results in the UI after pushing a new tag. Users can also change the parameter if they want more control over the request pattern to Clair and the pattern of database operations being performed on the Project Quay database.

Example security scanner configuration

The following YAML is the suggested configuration when enabling the security scanner feature.

Security scanner YAML configuration

FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_SECURITY_SCANNER_NOTIFY_ON_NEW_INDEX: true
...
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_MANIFEST_CLEANUP: true
SECURITY_SCANNER_V4_ENDPOINT: http://quay-server.example.com:8081
SECURITY_SCANNER_V4_PSK: MTU5YzA4Y2ZkNzJoMQ==
SERVER_HOSTNAME: quay-server.example.com
SECURITY_SCANNER_V4_INDEX_MAX_LAYER_SIZE: 8G (1)
...

Recommended maximum is 10G.

Helm configuration fields

Table 18. Helm configuration fields
Field	Type	Description
FEATURE_GENERAL_OCI_SUPPORT	Boolean	Enable support for OCI artifacts. Default: True

The following Open Container Initiative (OCI) artifact types are built into Project Quay by default and are enabled through the FEATURE_GENERAL_OCI_SUPPORT configuration field:

Field Media Type Supported content types

Field	Media Type	Supported content types
Helm	`application/vnd.cncf.helm.config.v1+json`	`application/tar+gzip`, `application/vnd.cncf.helm.chart.content.v1.tar+gzip`
Cosign	`application/vnd.oci.image.config.v1+json`	`application/vnd.dev.cosign.simplesigning.v1+json`, `application/vnd.dsse.envelope.v1+json`
SPDX	`application/vnd.oci.image.config.v1+json`	`text/spdx`, `text/spdx+xml`, `text/spdx+json`
Syft	`application/vnd.oci.image.config.v1+json`	`application/vnd.syft+json`
CycloneDX	`application/vnd.oci.image.config.v1+json`	`application/vnd.cyclonedx`, `application/vnd.cyclonedx+xml`, `application/vnd.cyclonedx+json`
In-toto	`application/vnd.oci.image.config.v1+json`	`application/vnd.in-toto+json`
Unknown	`application/vnd.cncf.openpolicyagent.policy.layer.v1+rego`	`application/vnd.cncf.openpolicyagent.policy.layer.v1+rego`, `application/vnd.cncf.openpolicyagent.data.layer.v1+json`

Helm

application/vnd.cncf.helm.config.v1+json

application/tar+gzip, application/vnd.cncf.helm.chart.content.v1.tar+gzip

Cosign